heimdall_tools 1.3.46 → 1.3.50

data/lib/heimdall_tools/asff_compatible_products/securityhub.rb

@@ -0,0 +1,89 @@
+require 'csv'
+require 'json'
+
+module HeimdallTools
+  class SecurityHub
+    private_class_method def self.corresponding_control(controls, finding)
+      controls.find { |c| c['StandardsControlArn'] == finding['ProductFields']['StandardsControlArn'] }
+    end
+
+    def self.supporting_docs(standards:)
+      begin
+        controls = standards.nil? ? nil : standards.map { |s| JSON.parse(s)['Controls'] }.flatten
+      rescue StandardError => e
+        raise "Invalid supporting docs for Security Hub:\nException: #{e}"
+      end
+
+      begin
+        resource_dir = Pathname.new(__FILE__).join('../../../data')
+        aws_config_mapping_file = File.join(resource_dir, 'aws-config-mapping.csv')
+        aws_config_mapping = CSV.read(aws_config_mapping_file, { encoding: 'UTF-8', headers: true, header_converters: :symbol }).map(&:to_hash)
+      rescue StandardError => e
+        raise "Invalid AWS Config mapping file:\nException: #{e}"
+      end
+
+      { controls: controls, aws_config_mapping: aws_config_mapping }
+    end
+
+    def self.finding_id(finding, *, encode:, controls: nil, **)
+      ret = if !controls.nil? && !(control = corresponding_control(controls, finding)).nil?
+              control['ControlId']
+            elsif finding['ProductFields'].member?('ControlId') # check if aws
+              finding['ProductFields']['ControlId']
+            elsif finding['ProductFields'].member?('RuleId') # check if cis
+              finding['ProductFields']['RuleId']
+            else
+              finding['GeneratorId'].split('/')[-1]
+            end
+      encode.call(ret)
+    end
+
+    def self.finding_impact(finding, *, controls: nil, **)
+      if !controls.nil? && !(control = corresponding_control(controls, finding)).nil?
+        imp = control['SeverityRating'].to_sym
+      else
+        # severity is required, but can be either 'label' or 'normalized' internally with 'label' being preferred.  other values can be in here too such as the original severity rating.
+        imp = finding['Severity'].key?('Label') ? finding['Severity']['Label'].to_sym : finding['Severity']['Normalized']/100.0
+        # securityhub asff file does not contain accurate severity information by setting things that shouldn't be informational to informational: when additional context, i.e. standards, is not provided, set informational to medium.
+        imp = :MEDIUM if imp.is_a?(Symbol) && imp == :INFORMATIONAL
+      end
+      imp
+    end
+
+    def self.finding_nist_tag(finding, *, aws_config_mapping:, **)
+      return {} unless finding['ProductFields']['RelatedAWSResources:0/type'] == 'AWS::Config::ConfigRule'
+
+      entries = aws_config_mapping.select { |rule| finding['ProductFields']['RelatedAWSResources:0/name'].include? rule[:awsconfigrulename] }
+      entries.map do |rule|
+        tags_joined = rule[:nistid].split('|') # subheadings are joined together in the csv file
+        tags_joined.map do |tag|
+          if (i = tag.index('(')).nil?
+            tag
+          else
+            tag[i..-1].scan(/\(.+?\)/).map { |subheading| "#{tag[0..i-1]}#{subheading}" }
+          end
+        end
+      end.flatten.uniq
+    end
+
+    def self.finding_title(finding, *, encode:, controls: nil, **)
+      ret = if !controls.nil? && !(control = corresponding_control(controls, finding)).nil?
+              control['Title']
+            else
+              finding['Title']
+            end
+      encode.call(ret)
+    end
+
+    def self.product_name(findings, *, encode:, **)
+      # "#{findings[0]['ProductFields']['aws/securityhub/CompanyName']} #{findings[0]['ProductFields']['aws/securityhub/ProductName']}"
+      # not using above due to wanting to provide the standard's name instead
+      if findings[0]['Types'][0].split('/')[-1].gsub(/-/, ' ').downcase == findings[0]['ProductFields']['StandardsControlArn'].split('/')[-4].gsub(/-/, ' ').downcase
+        standardname = findings[0]['Types'][0].split('/')[-1].gsub(/-/, ' ')
+      else
+        standardname = findings[0]['ProductFields']['StandardsControlArn'].split('/')[-4].gsub(/-/, ' ').split.map(&:capitalize).join(' ')
+      end
+      encode.call("#{standardname} v#{findings[0]['ProductFields']['StandardsControlArn'].split('/')[-2]}")
+    end
+  end
+end

data/lib/heimdall_tools/asff_mapper.rb

@@ -0,0 +1,232 @@
+require 'json'
+require 'set'
+
+require 'htmlentities'
+
+require 'heimdall_tools/hdf'
+require 'heimdall_tools/asff_compatible_products/firewall_manager'
+require 'heimdall_tools/asff_compatible_products/prowler'
+require 'heimdall_tools/asff_compatible_products/securityhub'
+
+module HeimdallTools
+  DEFAULT_NIST_TAG = %w{SA-11 RA-5}.freeze
+
+  INSPEC_INPUTS_MAPPING = {
+    string: 'String',
+    numeric: 'Numeric',
+    regexp: 'Regexp',
+    array: 'Array',
+    hash: 'Hash',
+    boolean: 'Boolean',
+    any: 'Any'
+  }.freeze
+
+  # Loading spinner sign
+  $spinner = Enumerator.new do |e|
+    loop do
+      e.yield '|'
+      e.yield '/'
+      e.yield '-'
+      e.yield '\\'
+    end
+  end
+
+  # TODO: use hash.dig and safe navigation operator throughout
+  class ASFFMapper
+    IMPACT_MAPPING = {
+      CRITICAL: 0.9,
+      HIGH: 0.7,
+      MEDIUM: 0.5,
+      LOW: 0.3,
+      INFORMATIONAL: 0.0
+    }.freeze
+
+    PRODUCT_ARN_MAPPING = {
+      %r{arn:.+:securityhub:.+:.*:product/aws/firewall-manager} => FirewallManager,
+      %r{arn:.+:securityhub:.+:.*:product/aws/securityhub} => SecurityHub,
+      %r{arn:.+:securityhub:.+:.*:product/prowler/prowler} => Prowler
+    }.freeze
+
+    def initialize(asff_json, securityhub_standards_json_array: nil, meta: nil)
+      @meta = meta
+
+      @supporting_docs = {}
+      @supporting_docs[SecurityHub] = SecurityHub.supporting_docs({ standards: securityhub_standards_json_array })
+
+      begin
+        asff_required_keys = %w{AwsAccountId CreatedAt Description GeneratorId Id ProductArn Resources SchemaVersion Severity Title Types UpdatedAt}
+        @report = JSON.parse(asff_json)
+        if @report.length == 1 && @report.member?('Findings') && @report['Findings'].each { |finding| asff_required_keys.to_set.difference(finding.keys.to_set).none? }.all?
+          # ideal case that is spec compliant
+          # might need to ensure that the file is utf-8 encoded and remove a BOM if one exists
+        elsif asff_required_keys.to_set.difference(@report.keys.to_set).none?
+          # individual finding so have to add wrapping array
+          @report = { 'Findings' => [@report] }
+        else
+          raise 'Not a findings file nor an individual finding'
+        end
+      rescue StandardError => e
+        raise "Invalid ASFF file provided:\nException: #{e}"
+      end
+
+      @coder = HTMLEntities.new
+    end
+
+    def encode(string)
+      @coder.encode(string, :basic, :named, :decimal)
+    end
+
+    def external_product_handler(product, data, func, default)
+      if (product.is_a?(Regexp) || (arn = PRODUCT_ARN_MAPPING.keys.find { |a| product.match(a) })) && PRODUCT_ARN_MAPPING.key?(arn || product) && PRODUCT_ARN_MAPPING[arn || product].respond_to?(func)
+        keywords = { encode: method(:encode) }
+        keywords = keywords.merge(@supporting_docs[PRODUCT_ARN_MAPPING[arn || product]]) if @supporting_docs.member?(PRODUCT_ARN_MAPPING[arn || product])
+        PRODUCT_ARN_MAPPING[arn || product].send(func, data, **keywords)
+      elsif default.is_a? Proc
+        default.call
+      else
+        default
+      end
+    end
+
+    def nist_tag(finding)
+      tags = external_product_handler(finding['ProductArn'], finding, :finding_nist_tag, {})
+      tags.empty? ? DEFAULT_NIST_TAG : tags
+    end
+
+    def impact(finding)
+      # there can be findings listed that are intentionally ignored due to the underlying control being superceded by a control from a different standard
+      if finding.member?('Workflow') && finding['Workflow'].member?('Status') && finding['Workflow']['Status'] == 'SUPPRESSED'
+        imp = :INFORMATIONAL
+      else
+        # severity is required, but can be either 'label' or 'normalized' internally with 'label' being preferred.  other values can be in here too such as the original severity rating.
+        default = proc { finding['Severity'].key?('Label') ? finding['Severity']['Label'].to_sym : finding['Severity']['Normalized']/100.0 }
+        imp = external_product_handler(finding['ProductArn'], finding, :finding_impact, default)
+      end
+      imp.is_a?(Symbol) ? IMPACT_MAPPING[imp] : imp
+    end
+
+    def desc_tags(data, label)
+      { data: data || NA_STRING, label: label || NA_STRING }
+    end
+
+    def subfindings(finding)
+      subfinding = {}
+
+      statusreason = finding['Compliance']['StatusReasons'].map { |reason| reason.flatten.map { |string| encode(string) } }.flatten.join("\n") if finding.key?('Compliance') && finding['Compliance'].key?('StatusReasons')
+      if finding.key?('Compliance') && finding['Compliance'].key?('Status')
+        case finding['Compliance']['Status']
+        when 'PASSED'
+          subfinding['status'] = 'passed'
+          subfinding['message'] = statusreason if statusreason
+        when 'WARNING'
+          subfinding['status'] = 'skipped'
+          subfinding['skip_message'] = statusreason if statusreason
+        when 'FAILED'
+          subfinding['status'] = 'failed'
+          subfinding['message'] = statusreason if statusreason
+        when 'NOT_AVAILABLE'
+          # primary meaning is that the check could not be performed due to a service outage or API error, but it's also overloaded to mean NOT_APPLICABLE so technically 'skipped' or 'error' could be applicable, but AWS seems to do the equivalent of skipped
+          subfinding['status'] = 'skipped'
+          subfinding['skip_message'] = statusreason if statusreason
+        else
+          subfinding['status'] = 'error' # not a valid value for the status enum
+          subfinding['message'] = statusreason if statusreason
+        end
+      else
+        subfinding['status'] = 'skipped' # if no compliance status is provided which is a weird but possible case, then skip
+        subfinding['skip_message'] = statusreason if statusreason
+      end
+
+      subfinding['code_desc'] = external_product_handler(finding['ProductArn'], finding, :subfindings_code_desc, '')
+      subfinding['code_desc'] += '; ' unless subfinding['code_desc'].empty?
+      subfinding['code_desc'] += "Resources: [#{finding['Resources'].map { |r| "Type: #{encode(r['Type'])}, Id: #{encode(r['Id'])}#{", Partition: #{encode(r['Partition'])}" if r.key?('Partition')}#{", Region: #{encode(r['Region'])}" if r.key?('Region')}" }.join(', ')}]"
+
+      subfinding['start_time'] = finding.key?('LastObservedAt') ? finding['LastObservedAt'] : finding['UpdatedAt']
+
+      [subfinding]
+    end
+
+    def to_hdf
+      product_groups = {}
+      @report['Findings'].each do |finding|
+        printf("\rProcessing: %s", $spinner.next)
+
+        external = method(:external_product_handler).curry(4)[finding['ProductArn']][finding]
+
+        # group subfindings by asff productarn and then hdf id
+        item = {}
+        item['id'] = external[:finding_id][encode(finding['GeneratorId'])]
+
+        item['title'] = external[:finding_title][encode(finding['Title'])]
+
+        item['tags'] = { nist: nist_tag(finding) }
+
+        item['impact'] = impact(finding)
+
+        item['desc'] = encode(finding['Description'])
+
+        item['descriptions'] = []
+        item['descriptions'] << desc_tags(finding['Remediation']['Recommendation'].map { |_k, v| encode(v) }.join("\n"), 'fix') if finding.key?('Remediation') && finding['Remediation'].key?('Recommendation')
+
+        item['refs'] = []
+        item['refs'] << { url: finding['SourceUrl'] } if finding.key?('SourceUrl')
+
+        item['source_location'] = NA_HASH
+
+        item['results'] = subfindings(finding)
+
+        arn = PRODUCT_ARN_MAPPING.keys.find { |a| finding['ProductArn'].match(a) }
+        if arn.nil?
+          product_info = finding['ProductArn'].split(':')[-1]
+          arn = Regexp.new "arn:.+:securityhub:.+:.*:product/#{product_info.split('/')[1]}/#{product_info.split('/')[2]}"
+        end
+        product_groups[arn] = {} if product_groups[arn].nil?
+        product_groups[arn][item['id']] = [] if product_groups[arn][item['id']].nil?
+        product_groups[arn][item['id']] << [item, finding]
+      end
+
+      controls = []
+      product_groups.each do |product, id_groups|
+        id_groups.each do |id, data|
+          printf("\rProcessing: %s", $spinner.next)
+
+          external = method(:external_product_handler).curry(4)[product]
+
+          group = data.map { |d| d[0] }
+          findings = data.map { |d| d[1] }
+
+          product_info = findings[0]['ProductArn'].split(':')[-1].split('/')
+          product_name = external[findings][:product_name][encode("#{product_info[1]}/#{product_info[2]}")]
+
+          item = {}
+          # add product name to id if any ids are the same across products
+          item['id'] = product_groups.reject { |pg| pg == product }.values.any? { |ig| ig.keys.include?(id) } ? "[#{product_name}] #{id}" : id
+
+          item['title'] = "#{product_name}: #{group.map { |d| d['title'] }.uniq.join(';')}"
+
+          item['tags'] = { nist: group.map { |d| d['tags'][:nist] }.flatten.uniq }
+
+          item['impact'] = group.map { |d| d['impact'] }.max
+
+          item['desc'] = external[group][:desc][group.map { |d| d['desc'] }.uniq.join("\n")]
+
+          item['descriptions'] = group.map { |d| d['descriptions'] }.flatten.compact.reject(&:empty?).uniq
+
+          item['refs'] = group.map { |d| d['refs'] }.flatten.compact.reject(&:empty?).uniq
+
+          item['source_location'] = NA_HASH
+          item['code'] = JSON.pretty_generate({ Findings: findings })
+
+          item['results'] = group.map { |d| d['results'] }.flatten.uniq
+
+          controls << item
+        end
+      end
+
+      results = HeimdallDataFormat.new(profile_name: @meta&.key?('name') ? @meta['name'] : 'AWS Security Finding Format',
+                                       title: @meta&.key?('title') ? @meta['title'] : 'ASFF findings',
+                                       controls: controls)
+      results.to_hdf
+    end
+  end
+end

data/lib/heimdall_tools/aws_config_mapper.rb

@@ -8,7 +8,7 @@ RESOURCE_DIR = Pathname.new(__FILE__).join('../../data')
 AWS_CONFIG_MAPPING_FILE = File.join(RESOURCE_DIR, 'aws-config-mapping.csv')
 
 NOT_APPLICABLE_MSG = 'No AWS resources found to evaluate complaince for this rule'.freeze
-INSUFFICIENT_DATA_MSG = 'Not enough data has been collectd to determine compliance yet.'.freeze
+INSUFFICIENT_DATA_MSG = 'Not enough data has been collected to determine compliance yet.'.freeze
 
 ##
 # HDF mapper for use with AWS Config rules.

data/lib/heimdall_tools/cli.rb

@@ -41,6 +41,15 @@ module HeimdallTools
       File.write(options[:output], hdf)
     end
 
+    desc 'xccdf_results_mapper', 'xccdf_results_mapper translates SCAP client XCCDF-Results XML report to HDF format Json be viewed on Heimdall'
+    long_desc Help.text(:xccdf_results_mapper)
+    option :xml, required: true, aliases: '-x'
+    option :output, required: true, aliases: '-o'
+    def xccdf_results_mapper
+      hdf = HeimdallTools::XCCDFResultsMapper.new(File.read(options[:xml])).to_hdf
+      File.write(options[:output], hdf)
+    end
+
     desc 'nessus_mapper', 'nessus_mapper translates nessus xml report to HDF format Json be viewed on Heimdall'
     long_desc Help.text(:nessus_mapper)
     option :xml, required: true, aliases: '-x'
@@ -61,7 +70,7 @@ module HeimdallTools
     option :output_prefix, required: true, aliases: '-o'
     def snyk_mapper
       hdfs = HeimdallTools::SnykMapper.new(File.read(options[:json]), options[:name]).to_hdf
-      puts "\r\HDF Generated:\n"
+      puts "\rHDF Generated:\n"
       hdfs.each_key do |host|
         File.write("#{options[:output_prefix]}-#{host}.json", hdfs[host])
         puts "#{options[:output_prefix]}-#{host}.json"
@@ -75,7 +84,7 @@ module HeimdallTools
     def nikto_mapper
       hdf = HeimdallTools::NiktoMapper.new(File.read(options[:json])).to_hdf
       File.write(options[:output], hdf)
-      puts "\r\HDF Generated:\n"
+      puts "\rHDF Generated:\n"
       puts options[:output].to_s
     end
 
@@ -86,7 +95,7 @@ module HeimdallTools
     def jfrog_xray_mapper
       hdf = HeimdallTools::JfrogXrayMapper.new(File.read(options[:json])).to_hdf
       File.write(options[:output], hdf)
-      puts "\r\HDF Generated:\n"
+      puts "\rHDF Generated:\n"
       puts options[:output].to_s
     end
 
@@ -97,7 +106,7 @@ module HeimdallTools
     def dbprotect_mapper
       hdf = HeimdallTools::DBProtectMapper.new(File.read(options[:xml])).to_hdf
       File.write(options[:output], hdf)
-      puts "\r\HDF Generated:\n"
+      puts "\rHDF Generated:\n"
       puts options[:output].to_s
     end
 
@@ -108,7 +117,7 @@ module HeimdallTools
     def aws_config_mapper
       hdf = HeimdallTools::AwsConfigMapper.new(options[:custom_mapping]).to_hdf
       File.write(options[:output], hdf)
-      puts "\r\HDF Generated:\n"
+      puts "\rHDF Generated:\n"
       puts options[:output].to_s
     end
 
@@ -119,7 +128,7 @@ module HeimdallTools
     def netsparker_mapper
       hdf = HeimdallTools::NetsparkerMapper.new(File.read(options[:xml])).to_hdf
       File.write(options[:output], hdf)
-      puts "\r\HDF Generated:\n"
+      puts "\rHDF Generated:\n"
       puts options[:output].to_s
     end
 
@@ -131,7 +140,7 @@ module HeimdallTools
     def sarif_mapper
       hdf = HeimdallTools::SarifMapper.new(File.read(options[:json])).to_hdf
       File.write(options[:output], hdf)
-      puts "\r\HDF Generated:\n"
+      puts "\rHDF Generated:\n"
       puts options[:output].to_s
     end
 
@@ -146,6 +155,29 @@ module HeimdallTools
       puts options[:output].to_s
     end
 
+    desc 'asff_mapper', 'asff_mapper translates AWS Security Finding Format results from JSON to HDF-formatted JSON so as to be viewable on Heimdall'
+    long_desc Help.text(:asff_mapper)
+    option :json, required: true, banner: 'ASFF-FINDING-JSON', aliases: ['-i', '--input', '-j']
+    option :securityhub_standards, required: false, type: :array, banner: 'ASFF-SECURITYHUB-STANDARDS-JSON', aliases: ['--sh', '--input-securityhub-standards']
+    option :output, required: true, banner: 'HDF-SCAN-RESULTS-JSON', aliases: '-o'
+    def asff_mapper
+      hdf = HeimdallTools::ASFFMapper.new(File.read(options[:json]), securityhub_standards_json_array: options[:securityhub_standards].nil? ? nil : options[:securityhub_standards].map { |filename| File.read(filename) }).to_hdf
+      File.write(options[:output], hdf)
+      puts "\rHDF Generated:\n"
+      puts options[:output].to_s
+    end
+
+    desc 'prowler_mapper', 'prowler_mapper translates Prowler-derived AWS Security Finding Format results from concatenated JSON blobs to HDF-formatted JSON so as to be viewable on Heimdall'
+    long_desc Help.text(:prowler_mapper)
+    option :json, required: true, banner: 'PROWLER-ASFF-JSON', aliases: ['-i', '--input', '-j']
+    option :output, required: true, banner: 'HDF-SCAN-RESULTS-JSON', aliases: '-o'
+    def prowler_mapper
+      hdf = HeimdallTools::ProwlerMapper.new(File.read(options[:json])).to_hdf
+      File.write(options[:output], hdf)
+      puts "\rHDF Generated:\n"
+      puts options[:output].to_s
+    end
+
     desc 'version', 'prints version'
     def version
       puts VERSION

data/lib/heimdall_tools/fortify_mapper.rb

@@ -58,9 +58,9 @@ module HeimdallTools
     def snippet(snippetid)
       snippet = @snippets.select { |x| x['id'].eql?(snippetid) }.first
       "\nPath: #{snippet['File']}\n" \
-      "StartLine: #{snippet['StartLine']}, " \
-      "EndLine: #{snippet['EndLine']}\n" \
-      "Code:\n#{snippet['Text']['#cdata-section'].strip}" \
+        "StartLine: #{snippet['StartLine']}, " \
+        "EndLine: #{snippet['EndLine']}\n" \
+        "Code:\n#{snippet['Text']['#cdata-section'].strip}" \
     end
 
     def nist_tag(rule)

data/lib/heimdall_tools/help/asff_mapper.md

@@ -0,0 +1,6 @@
+  asff_mapper translates AWS Security Finding Format results from JSON to HDF-formatted JSON so as to be viewable on Heimdall
+
+Examples:
+
+  heimdall_tools asff_mapper -i <asff-finding-json> -o <hdf-scan-results-json>
+  heimdall_tools asff_mapper -i <asff-finding-json> --sh <standard-1-json> ... <standard-n-json> -o <hdf-scan-results-json>

data/lib/heimdall_tools/help/prowler_mapper.md

@@ -0,0 +1,5 @@
+  prowler_mapper translates Prowler-derived AWS Security Finding Format results from concatenated JSON blobs to HDF-formatted JSON so as to be viewable on Heimdall
+
+Examples:
+
+  heimdall_tools prowler_mapper -i <prowler-asff-json> -o <hdf-scan-results-json>

data/lib/heimdall_tools/nessus_mapper.rb

@@ -25,8 +25,6 @@ DEFAULT_NIST_REV = 'Rev_4'.freeze
 
 NA_PLUGIN_OUTPUT = 'This Nessus Plugin does not provide output message.'.freeze
 
-# rubocop:disable Metrics/AbcSize
-
 # Loading spinner sign
 $spinner = Enumerator.new do |e|
   loop do
@@ -94,11 +92,17 @@ module HeimdallTools
 
     def finding(issue, timestamp)
       finding = {}
-      # if compliance-result field, this is a policy compliance result entry
-      # nessus policy compliance result provides a pass/fail data
-      # For non policy compliance  results are defaulted to failed
       if issue['compliance-result']
-        finding['status'] = issue['compliance-result'].eql?('PASSED') ? 'passed' : 'failed'
+        case issue['compliance-result']
+        when 'PASSED'
+          finding['status'] = 'passed'
+        when 'ERROR'
+          finding['status'] = 'error'
+        when 'WARNING'
+          finding['status'] = 'skipped'
+        else
+          finding['status'] = 'failed'
+        end
       else
         finding['status'] = 'failed'
       end
@@ -221,8 +225,12 @@ module HeimdallTools
           end
           if item['compliance-reference']
             @item['tags']['nist']     = cci_nist_tag(parse_refs(item['compliance-reference'], 'CCI'))
+            @item['tags']['cci']      = parse_refs(item['compliance-reference'], 'CCI')
+            @item['tags']['rid']      = parse_refs(item['compliance-reference'], 'Rule-ID').join(',')
+            @item['tags']['stig_id']  = parse_refs(item['compliance-reference'], 'STIG-ID').join(',')
           else
             @item['tags']['nist']     = plugin_nist_tag(item['pluginFamily'], item['pluginID'])
+            @item['tags']['rid']      = item['pluginID'].to_s
           end
           if item['compliance-solution']
             @item['descriptions']       << desc_tags(item['compliance-solution'], 'check')

data/lib/heimdall_tools/prowler_mapper.rb

@@ -0,0 +1,8 @@
+module HeimdallTools
+  class ProwlerMapper < ASFFMapper
+    def initialize(prowler_asff_json)
+      # comes as an asff-json file which is basically all the findings concatenated into one file instead of putting it in the proper wrapper data structure
+      super("{ \"Findings\": [#{prowler_asff_json.split("\n").join(',')}]}", meta: { 'name' => 'Prowler', 'title' => 'Prowler findings' })
+    end
+  end
+end

data/lib/heimdall_tools/sonarqube_mapper.rb

@@ -158,7 +158,11 @@ class Control
   # OWASP is stated specifically, ex owasp-a1
   #
   # SonarQube is inconsistent with tags (ex some cwe rules don't have cwe number in desc,) as noted below
-  TAG_DATA = {}.freeze # NOTE: We count on Ruby to preserve order for TAG_DATA
+
+  # rubocop:disable Style/MutableConstant
+  TAG_DATA = {} # NOTE: We count on Ruby to preserve order for TAG_DATA
+  # rubocop:enable Style/MutableConstant
+
   TAG_DATA[:cwe] = {
     # Some rules with cwe tag don't have cwe number in description!
     # Currently only squid:S2658, but it has OWASP tag so we can use that.